topic Re: Can I use Radius Accounting or Diameter as source of rules in ISP network? in General Topics
https://live.paloaltonetworks.com/t5/general-topics/can-i-use-radius-accounting-or-diameter-as-source-of-rules-in/m-p/5082#M3731
Can I use Radius Accounting or Diameter as source of rules in ISP network?
https://live.paloaltonetworks.com/t5/general-topics/can-i-use-radius-accounting-or-diameter-as-source-of-rules-in/m-p/5081#M3730
<HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I want to install the PA in my ISP net as a transparent bridge. I'm looking for a way to configure the machine to get an IP address &amp; then translate it via Radius accounting / Diameter protocol to the user info.</P><P></P><P>Do you know how it can be done?</P><P>How is it installed in other ISPs?</P><P></P><P>Tal</P></BODY></HTML>
Posted by tal_e, Sun, 12 Jun 2011 09:18:21 GMT

Re: Can I use Radius Accounting or Diameter as source of rules in ISP network?
https://live.paloaltonetworks.com/t5/general-topics/can-i-use-radius-accounting-or-diameter-as-source-of-rules-in/m-p/5082#M3731
<HTML><HEAD></HEAD><BODY><P>It sounds like you are trying to use the "User Identification" feature to associate the user name with the IP. Normally we deploy in a corporate environment where everybody logs into a Microsoft AD server. Our agent queries the security log and maps the username to the IP based on the log entry. Is your RADIUS server Microsoft? The agent does have an API that can be used for injecting user/IP info into the agent. I do not know how well this will work in your environment.</P><P></P><P>The Palo Alto can be deployed in L2 mode like a switch/bridge or you can use VWIRE. VWIRE is limited to 2 Ethernet ports. Anything that enters on port 1 is forced out port 2. VWire does not have a MAC address or an IP address. It cannot do NAT or tunnel termination. You would have to use a third interface and connect it to the same switch as the VWIRE to provide these services. Since the VWIRE has no MAC of its own, if we send a TCP reset, we spoof the source MAC so it becomes difficult to track down the source with a sniffer.</P><P>You need to check interface counters to confirm we sent the RST.</P><P></P><P>Steve Krall</P></BODY></HTML>
Posted by skrall, Wed, 15 Jun 2011 20:41:21 GMT

Re: Can I use Radius Accounting or Diameter as source of rules in ISP network?
https://live.paloaltonetworks.com/t5/general-topics/can-i-use-radius-accounting-or-diameter-as-source-of-rules-in/m-p/5083#M3732
<HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>My environment is an ISP; the project is "Clean Pipe". The users are coming from their devices &amp; surf into the web. I need to catch them on the way (in L2 mode) &amp; based on their profile in the RADIUS (not AD / Microsoft) provide them services like AV, URL Filtering &amp; Mail Relay.</P><P></P><P>tal</P></BODY></HTML>
Posted by tal_e, Thu, 16 Jun 2011 08:13:08 GMT

Re: Can I use Radius Accounting or Diameter as source of rules in ISP network?
https://live.paloaltonetworks.com/t5/general-topics/can-i-use-radius-accounting-or-diameter-as-source-of-rules-in/m-p/5084#M3733
<HTML><HEAD></HEAD><BODY><P>Currently PAN-OS can provide user-identification service using AD, terminal server, or captive portal. We do not have the option to map the user IP based on the RADIUS-assigned IP address. If not using AD, then captive portal may be your best option at this time, as you can at least authenticate your users based on RADIUS when they hit the Captive Portal redirect page.</P><P></P><P>If you require user ID methods other than what is mentioned above, I would suggest speaking to your Palo Alto Sales Rep or SE to inquire about roadmap and new feature requests.</P><P></P><P>-Richard</P></BODY></HTML>
Posted by rkim, Sat, 18 Jun 2011 04:33:36 GMT

Re: Can I use Radius Accounting or Diameter as source of rules in ISP network?
https://live.paloaltonetworks.com/t5/general-topics/can-i-use-radius-accounting-or-diameter-as-source-of-rules-in/m-p/5085#M3734
<HTML><HEAD></HEAD><BODY><P>You might explore using the UserID XML API to map RADIUS users to IP addresses:</P><P><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/docs/DOC-1348">https://live.paloaltonetworks.com/docs/DOC-1348</A></P><P></P><P>You would still need to use LDAP or AD to get user to group mappings.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML>
Posted by kbrazil, Sat, 18 Jun 2011 19:59:10 GMT

Re: Can I use Radius Accounting or Diameter as source of rules in ISP network?
https://live.paloaltonetworks.com/t5/general-topics/can-i-use-radius-accounting-or-diameter-as-source-of-rules-in/m-p/5086#M3735
<HTML><HEAD></HEAD><BODY><P>Hi, Richard,</P><P></P><P>Excuse me, but I just have a question and this discussion is similar.</P><P></P><P>Is there any roadmap or feature request you know now? As the PAN-OS is revised to PAN-OS 5.0, I never see it in RADIUS server profile, so I just want to know if there is any update till now.</P><P></P><P>Thanks,</P><P>Sample Wu</P></BODY></HTML>
Posted by paloalto.netfos, Tue, 25 Jun 2013 08:19:29 GMT
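
The approach Kelly suggests above, feeding RADIUS user-to-IP mappings into the User-ID XML API, sketched as an added example that is not code from the thread or from Palo Alto Networks. The `uid-message` layout is an assumption not shown on this page (verify it against DOC-1348), the function names are hypothetical, and the accounting records are constructed samples.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: RADIUS accounting records already parsed into dicts
# (attribute names from RFC 2865/2866). Assumes the RADIUS server has
# already verified each packet's authenticator.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "User-Name": "alice@isp.example", "Framed-IP-Address": "10.20.0.15"},
    {"Acct-Status-Type": "Interim-Update", "User-Name": "alice@isp.example", "Framed-IP-Address": "10.20.0.15"},
    {"Acct-Status-Type": "Stop", "User-Name": "bob@isp.example", "Framed-IP-Address": "10.20.0.99"},
    {"Acct-Status-Type": "Start", "User-Name": "mallory", "Framed-IP-Address": "not-an-ip"},
    {"Acct-Status-Type": "Start", "User-Name": "", "Framed-IP-Address": "10.20.0.7"},
]

def split_events(records):
    """Return (logins, logouts, rejected); logins/logouts map IP -> user."""
    logins, logouts, rejected = {}, {}, []
    for rec in records:
        user = rec.get("User-Name", "").strip()
        try:
            ip = str(ipaddress.ip_address(rec.get("Framed-IP-Address", "")))
        except ValueError:
            rejected.append(rec)          # never forward an unparsable address
            continue
        status = rec.get("Acct-Status-Type")
        if not user:
            rejected.append(rec)          # a mapping without a user is useless
        elif status in ("Start", "Interim-Update"):
            logins[ip] = user             # newest session for an IP wins
            logouts.pop(ip, None)
        elif status == "Stop":
            logouts[ip] = user
            logins.pop(ip, None)
        else:
            rejected.append(rec)
    return logins, logouts, rejected

def build_uid_message(logins, logouts):
    """Serialize the mappings as a uid-message update (assumed layout)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for tag, mapping in (("login", logins), ("logout", logouts)):
        if mapping:
            section = ET.SubElement(payload, tag)
            for ip, user in sorted(mapping.items()):
                # ElementTree escapes attribute values, so a subscriber-chosen
                # user name cannot break out of the XML structure.
                ET.SubElement(section, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")
```

This produces only user-to-IP mappings; as Kelly notes, user-to-group mappings would still have to come from LDAP or AD.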